Beginner having trouble with docker behind company proxy

I’m using DockerToolbox-1.8.3 on a Mac. From home, I’m not having any problems but from work where I am behind a company proxy, I’m having network connectivity problems. I’m using cntlm if that is relevant to anyone.

I’m following the getting started documentation for docker. At the step:

$ docker run hello-world

I get:

Network timed out while trying to connect to … images. You may want to check your internet connection or if you are behind a proxy.

After that I tried:

docker-machine create -d virtualbox --engine-env
HTTP_PROXY=/ --engine-env
HTTPS_PROXY= default

This time when I invoke:

$ docker run hello-world, I get:

Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: http: error connecting to proxy http://localhost:3128/: dial tcp 127.0.0.1:3128: connection refused

I’ve spent a lot of time trying to figure this out but with no luck. Getting pretty frustrated. Any help would be immensely appreciated. Thanks!!

It looks like you are running a proxy on 127.0.0.1 on your host. The Virtual machine that docker-machine creates has its own 127.0.0.1 that isn’t running a proxy. When docker tries to connect, it gets connection refused.

Hi Jeff,

Thanks a lot for your help.

You are correct. I am using cntlm (http://cntlm.sourceforge.net/) as an
interface to NTLM. cntlm creates a proxy that runs on localhost. On a mac,
I don’t know how to make terminal programs get past NTLM without using
cntlm.

So, I guess the question now becomes how to use Docker on a mac where cntlm
is installed.

Your help is greatly appreciated.

Chuck

Hi,

The trick here is to run cntlm in gateway mode instead of cntlm listening only on localhost (127.0.0.1). If you run cntlm --help you can see the gateway option.

-g  Gateway mode - listen on all interfaces, not only loopback.

So you can run cntlm in gateway mode, either by running cntlm -g or by making changes to cntlm.conf so that cntlm always runs in gateway mode.

So once cntlm listens on all interfaces, you can give the IP address of your machine’s interface that is connected to your office network as the proxy host. As the machine created using docker-machine has a virtualbox NAT interface, it can connect to cntlm without any issues.

Please let me know if you need any more help on this.

Regards

Hi Ranjandas,

I tried your suggestions but the results unfortunately were the same. Here’s what I did:

  1. Modified my cntlm.conf file to turn the gateway flag on.
  2. Created a new default with:

docker-machine create -d virtualbox \
  --engine-env HTTP_PROXY=http://localhost:3128/ \
  --engine-env HTTPS_PROXY=http://localhost:3128/ default

After doing this, when I invoke:

~ $ docker run hello-world

I still get:

~ $ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository docker.io/library/hello-world
Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: http: error connecting to proxy http://localhost:3128/: dial tcp 127.0.0.1:3128: connection refused

I suspect that I haven’t fully understood your instructions. Maybe I just need another nudge in the right direction.

Thanks!!

Since you have configured cntlm to listen to all your host’s IPs, you can connect to something other than 127.0.0.1.

Here’s an overview of the typical virtualbox networking setup (skip to the end if you want a tldr):

Say my laptop running virtualbox and cntlm has three IPs: 127.0.0.1 (lo0), 192.168.10.55 (en0), and 192.168.99.1 (vboxnet1). The exact IPs and interface names will vary with the exact setup, so double check yours using ifconfig.

My boot2docker VM is running as well, but it has its own network stack. In addition to the VM having its own 127.0.0.1 (lo), it’ll have another address like 10.0.2.15 (eth0), and 192.168.99.100 (eth1).

The eth0 on the VM is running with a virtualbox “NAT mode” network. From the point of view of my host, any connections coming through this interface just look like the virtualbox process on the host is making them directly. From the point of view of the VM, it’s a network with a gateway IP (10.0.2.2). I can double check this by looking at the default route by running the route command from inside the VM. The boot2docker VM will direct all its traffic through this interface by default.

The eth1 on the VM is running a “host only network”. There is no router/gateway configured on this interface. Essentially, the virtual interface in the VM is bridged with the vboxnet1 interface on my host. This is the IP that is returned if you run the docker-machine ip default command.


So, if I’m on the VM, and I want to reach the host, I have two main options.

  • I can connect to the host’s real ip on the network (192.168.10.55 on en0 in the above example).
  • I can connect to the host’s ip on the vboxnet1 interface (192.168.99.1) using the host-only networking mode.

The reason that you are getting connection refused still is that the VM still has its own 127.0.0.1, and any time you connect to 127.0.0.1 you are connecting to yourself-- the VM in this case.


tldr; probably HTTP_PROXY=http://192.168.99.1:3128/ will work.

3 Likes

Oh yeah! I forgot about another virtualbox trick!

The IP address that is the default gateway for a NAT mode interface will forward to the host’s 127.0.0.1:

HTTP_PROXY=http://10.0.2.2:8989

I can set up something that listens only on my host’s 127.0.0.1, and then access it from the VM by hitting 10.0.2.2.

Here’s some official docs on virtualbox’s networking modes as well: https://www.virtualbox.org/manual/ch06.html

1 Like
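An added example, not code from any poster in this thread: it rewrites a proxy URL that points at loopback into one the docker-machine VM can reach, then prints the matching docker-machine command. It defaults to the NAT gateway 10.0.2.2, which lets cntlm stay bound to the host's 127.0.0.1 instead of listening on all interfaces in gateway mode; the function names are hypothetical and the addresses are the ones quoted above.

```shell
#!/bin/sh
# Added example. Addresses are the ones quoted in the thread; check yours with ifconfig.
NAT_GATEWAY=10.0.2.2        # VirtualBox NAT gateway: forwards to the host's 127.0.0.1
HOSTONLY_ADDR=192.168.99.1  # host side of the host-only network (vboxnet)

# proxy_host URL: print the host part of scheme://[user@]host[:port]/path
proxy_host() {
    rest=${1#*://}; rest=${rest%%/*}; rest=${rest##*@}
    case $rest in
        "["*) rest=${rest#"["}; rest=${rest%%"]"*} ;;  # bracketed IPv6 literal
        *)    rest=${rest%%:*} ;;                      # strip :port
    esac
    printf '%s\n' "$rest"
}

# is_loopback HOST: succeed when HOST names the caller's own network stack
is_loopback() {
    case $1 in
        localhost|127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# vm_proxy URL [HOST_ADDR]: replace a loopback host with an address the VM can reach
vm_proxy() {
    url=$1; target=${2:-$NAT_GATEWAY}
    host=$(proxy_host "$url")
    if is_loopback "$host"; then
        case $host in *:*) host="[$host]" ;; esac   # restore IPv6 brackets
        prefix=${url%%"$host"*}; suffix=${url#*"$host"}
        printf '%s\n' "$prefix$target$suffix"
    else
        printf '%s\n' "$url"                        # already VM-reachable, keep as is
    fi
}

# create_cmd URL [NAME]: print (not run) the docker-machine command used in the thread
create_cmd() {
    p=$(vm_proxy "$1")
    printf 'docker-machine create -d virtualbox --engine-env HTTP_PROXY=%s --engine-env HTTPS_PROXY=%s %s\n' \
        "$p" "$p" "${2:-default}"
}

create_cmd "http://localhost:3128/"
```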

Thanks a ton, Jeff. I tried your “tldr;” and it worked!!! I’ll study your network related explanation so that I understand the fix better, but I can see your expertise far exceeds mine in this area.

Thanks, again!!

Chuck

Hi Jeff,

Well, I’m broke again. I’m trying to work from home this afternoon. I am connected to my wireless network at home and VPN’ed to my work environment. I’m still running cntlm. I suppose that I need to configure a new machine for home use but I don’t know how to do that. I’ll start poking around to see if I can figure it out.

Any pointers would be greatly appreciated.

Thanks,
Chuck

The virtualbox NAT network by default will populate your exact DNS resolver from /etc/resolv.conf into the VM. If you change networks, this isn’t automatically updated. The easiest way to deal with it is to reboot the VM if you switch networks.

Set proxy ip as ‘10.0.2.2’, works for me. Thank you.

Hi,
I have followed the above steps to replicate this issue on my end, but no luck. Could you please help me out with this?

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: http: error connecting to proxy http://127.0.0.1:3128/: dial tcp 127.0.0.1:3128: getsockopt: connection refused.
See 'docker run --help'.

I have configured the /etc/default/docker file on my end as well. Please find it below.

# If you need Docker to use an HTTP proxy, it can also be specified here.

export http_proxy="http://127.0.0.1:3128/"
export https_proxy="http://127.0.0.1:3128/"

Please advise.